Get list of all LDAP group memberships


I'm using FreeIPA as an LDAP backend for my Flask app. So far I've used flask-simpleldap with OpenLDAP to get the group membership of a user, which works fine with the following options:

LDAP_BASE_DN="dc=myrealm,dc=com"
LDAP_REALM_NAME="MyFunRealm"
LDAP_OBJECTS_DN="dn"
LDAP_USER_OBJECT_FILTER="(&(objectclass=inetorgperson)(uid=%s))"
LDAP_GROUP_MEMBERS_FIELD="member"
LDAP_GROUP_OBJECT_FILTER="(&(objectclass=groupofnames)(member=%s))"
LDAP_GROUP_MEMBER_FILTER="member=%s"
LDAP_GROUP_MEMBER_FILTER_FIELD="cn"

I want to change the LDAP structure of my users to place groups inside groups, but the above settings only give the user's "first level" group. (Sorry, I'm unfamiliar with LDAP and its terminology.)

How can I change the query/filter to get a list of all groups the user is a member of through group-in-group membership?


1 answer

Esteban On

I don't think it is possible considering your setup (i.e. Flask + OpenLDAP).

OpenLDAP does not (from my knowledge) have a built-in mechanism to perform filtering on nested groups. And Flask does the request for you, so you can't implement the recursive search easily.

In other directories (AD, for example) you can specify the extensible matching rule for filtering nested groups, something along these lines:

(&(objectclass=groupofnames)(member:1.2.840.113556.1.4.1941:=%s))

But this specific extensible matching rule does not exist in OpenLDAP.
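The recursive search that the answer says you would have to do yourself, as an added example that is not part of the answer, of flask-simpleldap or of FreeIPA: a Python resolver that reuses the question's LDAP_GROUP_OBJECT_FILTER, escapes the DN it substitutes for %s (RFC 4515, so a DN containing filter metacharacters cannot change the query), and keeps a seen-set so cyclic nesting terminates. The `search` callable, `FAKE_DIRECTORY`, `fake_search` and the user/group DNs are constructed stand-ins for a real directory search; with python-ldap you would pass a wrapper around `conn.search_s(base, ldap.SCOPE_SUBTREE, filter_str, ["cn"])` instead.

```python
import re

# Filter from the question; %s is replaced by the DN whose groups we want.
GROUP_OBJECT_FILTER = "(&(objectclass=groupofnames)(member=%s))"


def escape_filter_chars(value):
    """RFC 4515 escaping so a DN substituted into a filter cannot alter its logic."""
    for ch in ("\\", "*", "(", ")", "\x00"):  # backslash first, then the rest
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value


def nested_groups(member_dn, search):
    """DNs of every group member_dn belongs to, directly or through nested groups.

    `search(filter_str)` must return (dn, attrs) tuples, e.g. a wrapper around
    python-ldap's conn.search_s(base, ldap.SCOPE_SUBTREE, filter_str, ["cn"]).
    The seen-set makes cyclic references (A inside B, B inside A) terminate.
    """
    seen, pending = set(), [member_dn]
    while pending:
        dn = pending.pop()
        for group_dn, _attrs in search(GROUP_OBJECT_FILTER % escape_filter_chars(dn)):
            if group_dn not in seen:
                seen.add(group_dn)
                pending.append(group_dn)  # this group may itself be a member of others
    return sorted(seen)


# --- Constructed in-memory stand-in for the directory (hypothetical DNs, no server) ---
BASE = "dc=myrealm,dc=com"
FAKE_DIRECTORY = {
    f"cn=devs,ou=groups,{BASE}": {"member": [f"uid=alice,ou=users,{BASE}"]},
    # deliberate cycle: engineering contains staff and staff contains engineering
    f"cn=engineering,ou=groups,{BASE}": {"member": [f"cn=devs,ou=groups,{BASE}", f"cn=staff,ou=groups,{BASE}"]},
    f"cn=staff,ou=groups,{BASE}": {"member": [f"cn=engineering,ou=groups,{BASE}"]},
    f"cn=ops,ou=groups,{BASE}": {"member": [f"uid=bob,ou=users,{BASE}"]},
}
_FILTER_RE = re.compile(r"^\(&\(objectclass=groupofnames\)\(member=(.*)\)\)$")


def fake_search(filter_str):
    """Minimal matcher for the one filter shape used above (constructed, demo only)."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        return []
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [(dn, e) for dn, e in FAKE_DIRECTORY.items() if wanted in e["member"]]


if __name__ == "__main__":
    print(nested_groups(f"uid=alice,ou=users,{BASE}", fake_search))
```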